Sunday, May 4, 2014

Firefox Hacks : Extract user information in your computer with Groovy !


Firefox stores all informations in a directory (In most cases, it is in $HOME/.mozilla directory or in C:\users\MUYSER\AppData\Roaming\Mozilla\Firefox\Profiles\). For example, there is addon list, search history, cookies ... but there is also logins and passwords ! So, if someone gets the contents of this directory, it will have all your life !

In this article, we will explain which information we could retreive and how. You will see it's simple !

Source code

Source code of this paper is available on GitHub : https://github.com/drieu/GFirefoxData
Readme file describes how to build and run the project. 

Data stores in Sqlite files

How to use sqlite ?

Firefox uses SQLITE to store information. So, we found sqlite files in mozilla directory ( ex : cookies.sqlite ).To get information in theeses files, you need to know few commands.
For example :

 # cd $HOME/.mozilla/???  
 # sqlite3 cookies.sqlite  
 SQLite version 3.8.2 2013-12-06 14:53:30  
 Enter ".help" for instructions  
 Enter SQL statements terminated with a ";"  
 sqlite>  


Now, you can execute sqlite and sql commands.
Here is some useful commands :

Help

sqlite> .help

List all tables

sqlite> .tables

List fields of a table

sqlite> .schema moz_cookies

Select

sqlite> select * from  moz_cookies

Quit

sqlite> .quit

Source code to extract sqlite datas.

Sqlite files list

Now, you know how to use sqlite commands, here is a list of sqlite files that you could find in the mozilla profile directory :

cookies.sqlite
addons.sqlite
formhistory.sqlite
content-prefs.sqlite
healthreport.sqlite
permissions.sqlite
places.sqlite
signons.sqlite
webappsstore.sqlite

In next section of this article, we will see how programmaticaly, we will retreive these datas.

Get cookies list

We need a library to use SQLITE. For this article, we will use sqlite-jdbc ( https://bitbucket.org/xerial/sqlite-jdbc ). You can download jar files here

Here is simple example. You only have to change path to point to your sqlite file :

     import groovy.sql.Sql 
     def url = "jdbc:sqlite:/home/USER/tmp/.mozilla/firefox/fe31xbna.default/cookies.sqlite" 
     def sql = Sql.newInstance(url, "org.sqlite.JDBC") 
     sql.eachRow("select DISTINCT host from moz_cookies") { 
       println("host= ${it.host}") 
     } 

Get all user history

     def sql = Sql.newInstance(url, "org.sqlite.JDBC")  
     sql.eachRow("select DISTINCT value from moz_formhistory") {  
       println("value= ${it.value}")  
     }  
     println("")  

Get addons list

     def sql = Sql.newInstance(url, "org.sqlite.JDBC")  
     sql.eachRow("select DISTINCT name from addon") {  
       println("name= ${it.name}")  
     }  
     println("")  

See password

Master password stored in key3.db file. There is also signons.sqlite that contains encrypt username and password files.
Here is how to see them :


sqlite>sqlite3 signons.sqlite  
 sqlite>select hostname,usernameField,passwordField,encryptedUsername,encryptedPassword from moz_logins limit 1;  


Get passwords when no master password is set. 

You only have to go in Menu Edit -> preferences-> Security and you can saw saved passwords.
An other way to see passwords is to put key3.db and signons.sqlite and cert8.db in a new firefox profile.You will see it really simple :

1. Close firefox
2. Create a new profile with firefox ( firefox --ProfileManager )
3. Close firefox
4. Go in your new profile directory ( $HOME/.mozilla/...)
5. Replace key3.db, signons.sqlite, cert8.db by yours
6. Restart firefox
7. Then go in Menu Edit -> preferences-> Security
You will see all saved passwords !

So a good advice is to set a master password. But, it is only useful if an other person uses your computer. It can't show all your password. We will see next that store passwords even if there is a master master password isn't a good idea.

Get passwords when master password is set.

A first manner is to look at this article http://www.infond.fr/2010/04/firefox-passwords-management-leaks.html 

A second way ( more easy ) is to use Mozilla tools : http://securityxploded.com/firemaster.php

For example :

FireMaster.exe -q -b -m 3 -l 10 -c "abcdetps123" "c:\my test\firefox"

 

Conclusion

 

In this paper, we see how to get all firefox datas on your computer. Does that means that firefox is unsecure ? No. you can do the same things with other browser and application.So, you have to keep in mind which datas are on your computer.
If a person copy firefox directory for hacking purpose, it will have access to all your life !
A firefox plugin can access to informations.Do you have confidence in your plugins ?
An other important point to keep in mind datas you show to the internet like cookies.This datas can be used for commercial purpose and also by hacker to know your habits ...